I am developing an intranet application and would like to use the existing organisations Active Directory for user authentication and policy based role authorisation.
Can someone point me in the right direction? I am getting a bit confused (well actually a lot confused).
Thankyou
Answers:
Thank you for visiting the Q&A section on Magenaut. Please note that all the answers may not help you solve the issue immediately. So please treat them as advisements. If you found the post helpful (or not), leave a comment & I’ll get back to you as soon as possible.
Method 1
Per Authentication and Autorization resources under http://docs.asp.net/en/latest/security/index.html
First start a new ASP.Net Web Application project, Pick the Web Application template then on the right pane press the “Change Authentication” button and pick “Windows Authentication”.
You can now use [Authorize] on a class or method to check basic authentication vs active directory as of RC2 you can simply use the group names ala [Authorize([email protected]"DOMAINGROUP")]
The now obsolete and cumbersome alternative (still works):
If you look at User.Claims you can see the groupsid keys exist for each of the user’s groups. Building off that you can do something like [Authorize(Policy="FOOBAR")] and define it in your Startup.ConfigureServices method via
services.AddAuthorization(
o => o.AddPolicy(
"FOOBAR",
p => p.RequireClaim("http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid",
"ENTER GROUP SID")
));
Note that the second param to RequireClaim is a string array to allow for multiple groups.
Also note to figure out group ids via this command line magic dsquery group -name “ENTER GROUP NAME” | dsget group -sid
All methods was sourced from stackoverflow.com or stackexchange.com, is licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0